CVE-2022-34466 - OpenCVE

A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mendix	Mendix

Configuration 1 [-]

cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2022-07-12T10:07:22

Updated: 2024-08-03T09:15:15.104Z

Reserved: 2022-06-24T00:00:00

Link: CVE-2022-34466

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-12T10:15:12.087

Modified: 2023-06-29T15:34:01.223

Link: CVE-2022-34466

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions >= V9.11 < V9.15"}]}, {"product": "Mendix Applications using Mendix 9 (V9.12)", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions < V9.12.3"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-12T10:07:22", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2022-34466", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mendix Applications using Mendix 9", "version": {"version_data": [{"version_value": "All versions >= V9.11 < V9.15"}]}}, {"product_name": "Mendix Applications using Mendix 9 (V9.12)", "version": {"version_data": [{"version_value": "All versions < V9.12.3"}]}}]}, "vendor_name": "Siemens"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:15:15.104Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-34466", "datePublished": "2022-07-12T10:07:22", "dateReserved": "2022-06-24T00:00:00", "dateUpdated": "2024-08-03T09:15:15.104Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "16D49D7F-4CAC-4A92-9CA7-0BDCDAD5B41D", "versionEndExcluding": "9.15.0", "versionStartIncluding": "9.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en las aplicaciones Mendix usando Mendix 9 (Todas las versiones posteriores a V9.11 incluy\u00e9ndola, anteriores a V9.15), Aplicaciones Mendix usando Mendix 9 (V9.12) (Todas las versiones anteriores a V9.12.3). Se ha detectado una vulnerabilidad de inyecci\u00f3n de expresiones en el subsistema Workflow de Mendix Runtime, que puede afectar a las aplicaciones en ejecuci\u00f3n. La vulnerabilidad podr\u00eda permitir a un usuario malicioso filtrar informaci\u00f3n confidencial en una determinada configuraci\u00f3n"}], "id": "CVE-2022-34466", "lastModified": "2023-06-29T15:34:01.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-12T10:15:12.087", "references": [{"source": "productcert@siemens.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "productcert@siemens.com", "type": "Secondary"}]}